[nsp-sec] DDoS in progress
Matthew.Swaar at us-cert.gov
Mon Oct 12 00:11:06 EDT 2009
The Department of Justice got some packet love last week from 5 - 8
October. It appears to have resumed as of ~0217GMT 12 October. The
target is (still) 'www.deadiversion.usdoj.gov' on IP 149.101.26.30 and
the attack is ongoing as of this writing.
Attack vectors are 80-TCP, 80-UDP, and ICMP echo requests at the least.
Attached are two files with IPs believed to be participating in the
attack. Each source IP in the list transmitted at least 5k packets
during a 40 minute window of ~0300-0340 over TCP-80. The IPs that met
the previous criteria and also appeared to complete a 3-way handshake
are in 'unspoofed_attackers_80tcp_12oct.txt'. IPs that may or may not
have completed a 3-way handshake are in the 'attackers_80tcp_12oct.txt'
file. (There is obviously overlap.)
Unfortunately, I cannot currently bulk resolve the IPs themselves, my
apologies.
Any mitigation/squashing that can be provided (short of blackholing the
dest) would be appreciated.
Very Respectfully,
US-CERT Ops Center
703-235-5111
POC: Matt Swaar - Analyst
Name: unspoofed_attackers_80tcp_12oct.txt
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20091011/c5092db6/attachment-0002.txt>
Name: attackers_80tcp_12oct.txt
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20091011/c5092db6/attachment-0003.txt>
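The two attachment lists follow from the classification rule stated in the post: count packets per source to the target on TCP/80 inside the 40-minute window, list every source at or above 5k packets, and separately list those that also completed a TCP three-way handshake (a host that spoofs its source address never sees the server's SYN/ACK, so it cannot send the final ACK). The following Python is an added illustration of that triage over a packet log, not code from US-CERT or the list; the record layout, the function names, and the sample packets (documentation-range addresses) are all constructed for the example, and only the target IP, port, threshold and window come from the post.

```python
"""Triage of a packet log for a TCP/80 flood: reproduce the two lists
described in the post (all attackers, and attackers that completed a
three-way handshake). Record format and sample data are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

TARGET_IP = "149.101.26.30"        # target named in the post
TARGET_PORT = 80
PACKET_THRESHOLD = 5000            # ">= 5k packets" criterion
WINDOW_START = datetime(2009, 10, 12, 3, 0)          # ~0300 GMT
WINDOW_END = WINDOW_START + timedelta(minutes=40)    # ~0340 GMT

# One record per packet (constructed layout):
# (timestamp, src_ip, src_port, dst_ip, dst_port, proto, tcp_flags)
# tcp_flags is "S", "SA", "A", "PA", ...; empty string for non-TCP packets.


def count_tcp80(packets, start, end):
    """Packets per source IP sent to TARGET_IP:80 over TCP inside [start, end)."""
    counts = defaultdict(int)
    for ts, src, _sport, dst, dport, proto, _flags in packets:
        if proto == "tcp" and dst == TARGET_IP and dport == TARGET_PORT and start <= ts < end:
            counts[src] += 1
    return counts


def handshake_completers(packets):
    """Source IPs that completed SYN -> SYN/ACK -> ACK with the target.

    State is kept per (client_ip, client_port) so a server SYN/ACK is only
    credited to the connection it answers. Packets are processed in time order.
    """
    state = {}      # (client_ip, client_port) -> 0 after SYN, 1 after SYN/ACK
    done = set()
    for _ts, src, sport, dst, dport, proto, flags in sorted(packets, key=lambda p: p[0]):
        if proto != "tcp":
            continue
        if dst == TARGET_IP and dport == TARGET_PORT:            # client -> server
            key = (src, sport)
            if flags == "S":
                state[key] = 0
            elif flags == "A" and state.get(key) == 1:
                done.add(src)                                    # handshake finished
        elif src == TARGET_IP and sport == TARGET_PORT and flags == "SA":   # server -> client
            key = (dst, dport)
            if state.get(key) == 0:
                state[key] = 1
    return done


def classify(packets, start=WINDOW_START, end=WINDOW_END, threshold=PACKET_THRESHOLD):
    """Return (attackers, unspoofed_attackers) as sorted lists of source IPs."""
    counts = count_tcp80(packets, start, end)
    attackers = {ip for ip, n in counts.items() if n >= threshold}
    unspoofed = attackers & handshake_completers(packets)
    return sorted(attackers), sorted(unspoofed)


def build_sample():
    """Constructed packet log (not real data) exercising each classification case."""
    step = timedelta(milliseconds=300)   # 7000 packets * 0.3 s stays inside 40 minutes
    pkts = []

    def flood(src, n, proto, flags, t0):
        for i in range(n):
            pkts.append((t0 + i * step, src, 50000 + (i % 10000), TARGET_IP, TARGET_PORT, proto, flags))

    def handshake(client, port, t0, with_ack):
        pkts.append((t0, client, port, TARGET_IP, TARGET_PORT, "tcp", "S"))
        pkts.append((t0 + timedelta(milliseconds=1), TARGET_IP, TARGET_PORT, client, port, "tcp", "SA"))
        if with_ack:
            pkts.append((t0 + timedelta(milliseconds=2), client, port, TARGET_IP, TARGET_PORT, "tcp", "A"))

    t5 = WINDOW_START + timedelta(minutes=5)
    flood("203.0.113.10", 6000, "tcp", "S", WINDOW_START)       # flood + real handshake: unspoofed
    handshake("203.0.113.10", 40000, t5, with_ack=True)
    flood("203.0.113.20", 5200, "tcp", "S", WINDOW_START)       # flood, SYN/ACK never answered
    handshake("203.0.113.20", 40000, t5, with_ack=False)
    handshake("198.51.100.5", 33000, t5, with_ack=True)         # ordinary client, few packets
    for i in range(37):
        pkts.append((t5 + timedelta(seconds=i + 1), "198.51.100.5", 33000, TARGET_IP, TARGET_PORT, "tcp", "PA"))
    flood("203.0.113.30", 7000, "udp", "", WINDOW_START)        # UDP/80: not in the TCP-80 lists
    flood("203.0.113.40", 6000, "tcp", "S", WINDOW_START - timedelta(hours=1))   # outside window
    return pkts


if __name__ == "__main__":
    attackers, unspoofed = classify(build_sample())
    print("attackers_80tcp:", attackers)
    print("unspoofed_attackers_80tcp:", unspoofed)
```

The "unspoofed" list is the one a network operator can act on with confidence, since a completed handshake proves the source address was reachable; entries only in the broader list may be spoofed, which is why the post keeps the two files separate and asks for mitigation short of blackholing the destination.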